
Stanford compromised.

Somehow, I really cannot see these guys as being that sophisticated. JTR isn't that unique, although it's kept relatively up to date. I think it's more that they didn't want people to think they were easily broken into. This, I believe, is part of the TeraGrid project that got compromised earlier this week. Perhaps it's more of a PR statement (it was a "sophisticated attack" rather than a "we screwed up" attack) so they don't lose funding from major sponsors of the project.

edit

As I was sending this info to a colleague (he's interested in starting a grid project at my college) it occurred to me that the sniffing technique might have been something as simple as ettercap. That the passwords could be sniffed at all makes me wonder what kind of secure connections, if any, were being used. Perhaps they went with telnet because it was easier to use to maintain the Grid?

Malicious hackers using sophisticated password-sniffing techniques have compromised multi-user Linux and Solaris computers that run academic supercomputer centers, according to an advisory issued by the Stanford University's IT Systems and Services (ITSS) unit.

Stanford said the unknown attacker (or group) gains access to a machine by cracking or sniffing passwords and uses a variety of exploits to escalate local user accounts to root privileges.

"The attacker appears to be deliberately targeting machines in academic and high performance computing environments, rather than attacking systems indiscriminately," the ITSS said. It urged students to report instances of sluggishness and quality degradation.

Chris Wysopal, vice president of research and development at security firm @Stake, said academic supercomputer networks in the U.S. are common targets for both lone wolf Black Hat hackers and small groups of skilled attackers.

"These high-performance supercomputers are always going to be a target for attackers, because they have great CPU power that they can use to do things like crack passwords and crack crypto," he told internetnews.com. "They have lots of bandwidth, so if they want to do a denial of service attack against some target, they can do it. If you look back four years ago to when Yahoo! and Amazon and eBay were knocked off the Internet, they traced back a lot of the machines that were part of the [distributed denial of service] network to high-performance academic machines."

Stanford's security unit discovered the malicious hacks because users found that their login information had changed or saw logins from unusual locations. In particular, the university said system administrators should look for multiple failed logins coming from more than one user's ID or coming from outside the research location.

Other signs of server compromises include unexpected errors generated when a computer reboots.

Stanford's ITSS urged users of Solaris or Linux computers to ensure their systems are running the most recent kernel versions and all security-relevant patches.

According to the alert, the attackers use a password decoding application called "John the Ripper" to compromise the systems. "The attacker is knowledgeable about Kerberos as well as other authentication systems, and has been observed running dictionary attacks against Kerberos passwords, as well as local password databases," it added.

In cases where the target machine is running known vulnerable versions of an OS or an application, the attacker is able to "get root." With root privileges, the attacker can replace core utilities and applications on the victim machine, usually with the intention of capturing more usernames and passwords, and making it easier for himself to access the machine at a later time, the school explained.

"Given the sophistication of these attacks, and the difficulty involved in removing rootkits and illicit access mechanisms, we strongly recommend that compromised hosts be taken off line and completely rebuilt, including a fresh install of the operating system and application of all relevant patches."

Wysopal praised the university's security department for putting together such a comprehensive report of the events, saying it's a great educational document that other administrators should look at to see how these types of attacks happen.

"It drives home the fact that everyone needs to be vigilant about patching, everyone needs to be vigilant about their system configuration and it doesn't matter what operating system you have," he said.

A news report from the Washington Post's online site suggested it was a concerted attack on "as many as 20 institutions" in recent weeks. The report linked networks from the National Center for Atmospheric Research, the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign, the San Diego Supercomputer Center at the University of San Diego, California, and the TeraGrid project operated by the University of Chicago.

Both Wysopal and Mike Higgins, a former operations division director at the Center for Information Systems Security Program (CISSP) and creator of the first Defense-Wide Computer Emergency Response Team (DOD-CERT), think the attacks might be a coincidence, given the attractiveness of high-performance computer networks in general.

"Yes, we have seen slow systematic probing of systems for years now, however we have not seen any link between the reported activity and the systems that we monitor," Higgins said in an email interview. "American universities have historically been a favorite target of hackers."

Higgins said universities could face potential liabilities for any attack launched from an exploited network that disabled online activities such as online banking. Companies in the past have been affected in this way; they just aren't publicized, he said.

"The country as a whole is making progress to properly secure our networks and systems," he said. "For example, [Health Insurance Portability and Accountability Act] and Graham-Leach-Bliley Acts are the policies that lay the foundation for securing America's data. If you were to compare the 'State of the Internet' to the 'State of the Hack,' we are not where we need to be, but we are moving in the right direction."
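The advisory's detection advice (multiple failed logins from more than one user ID, or logins from outside the research location) can be turned into a simple log check. The following is an added example, not code from the original post or from Stanford's advisory: the log lines are constructed in OpenSSH's "Failed password" / "Accepted password" syslog format, and the 10.20.0.0/16 "local" address range is an assumption standing in for a site's own network.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample syslog lines (not real data) in the format OpenSSH's sshd emits.
SAMPLE_LOG = """\
Apr  9 02:11:03 node17 sshd[4121]: Failed password for alice from 10.20.5.14 port 51022 ssh2
Apr  9 02:11:05 node17 sshd[4123]: Failed password for bob from 10.20.5.14 port 51023 ssh2
Apr  9 02:11:07 node17 sshd[4125]: Failed password for invalid user oracle from 10.20.5.14 port 51024 ssh2
Apr  9 02:11:09 node17 sshd[4127]: Failed password for carol from 10.20.5.14 port 51025 ssh2
Apr  9 02:14:40 node17 sshd[4201]: Failed password for dave from 10.20.7.2 port 40110 ssh2
Apr  9 02:14:52 node17 sshd[4203]: Accepted password for dave from 10.20.7.2 port 40110 ssh2
Apr  9 03:02:18 node17 sshd[4390]: Failed password for erin from 203.0.113.77 port 2201 ssh2
Apr  9 03:02:25 node17 sshd[4392]: Accepted password for erin from 203.0.113.77 port 2201 ssh2
Apr  9 03:40:11 node17 sshd[4510]: Accepted password for carol from 10.20.5.14 port 51090 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<ip>[\d.]+)"
)

# Assumed site address space; anything else counts as "outside the research location".
LOCAL_NETS = [ipaddress.ip_network("10.20.0.0/16")]


def is_local(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def analyse(log_text, min_users=2):
    """Return a list of (finding_type, source_ip, [users]) tuples."""
    failed_users = defaultdict(set)   # source IP -> set of user names that failed from it
    accepted = []                     # (source IP, user) for successful logins, in log order
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failed_users[m["ip"]].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            accepted.append((m["ip"], m["user"]))

    findings = []
    # One source failing against several different accounts is the advisory's
    # "multiple failed logins from more than one user's ID" pattern.
    for ip, users in failed_users.items():
        if len(users) >= min_users:
            findings.append(("multi_user_failures", ip, sorted(users)))
    for ip, user in accepted:
        # Successful login from outside the site's own network.
        if not is_local(ip):
            findings.append(("external_login", ip, [user]))
        # Successful login from a source that had already failed against other accounts:
        # the shape a password-guessing run takes once one guess lands.
        others = failed_users.get(ip, set()) - {user}
        if others:
            findings.append(("success_after_other_failures", ip, [user]))
    return findings


if __name__ == "__main__":
    for kind, ip, users in analyse(SAMPLE_LOG):
        print(f"{kind:30} {ip:16} {','.join(users)}")
```

The single failure followed by success for "dave" from an internal address is not reported: one mistyped password from inside the site is normal, and reporting it would bury the real signals. In practice the same grouping would be run across every node in the cluster, since an attacker who has sniffed one password will try it on the others.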

According to the alert, the attackers use a password decoding application called "John the Ripper" to compromise the systems. "The attacker is knowledgeable about Kerberos as well as other authentication systems, and has been observed running dictionary attacks against Kerberos passwords, as well as local password databases," it added.

Ummm.... dictionary word. Password. Sensitive system. Not a good idea....

"Given the sophistication of these attacks, and the difficulty involved in removing rootkits and illicit access mechanisms, we strongly recommend that compromised hosts be taken off line and completely rebuilt, including a fresh install of the operating system and application of all relevant patches."

You allowed a rootkit in? Whoever is in charge of security here should be dragged out back and shot.

has been observed running dictionary attacks against Kerberos passwords

It implies that they sat and watched him doing it..... ROFL

Don't SYN us.... We'll SYN you..... "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

Stanford, Wow!
I have a concern that should alert Antionline users. This is really serious also. Many personal computer users who are relying on simple security shop online.
There is a bad war taking place at this moment in Iraq, as most of us Americans are aware.
However, in Nigeria, where supporters have been located from ICQ numbers, there is a bank.
World Bank. Some of us may even be members of this World Banking system.
There is a serious scam arising.
Poor people, or any hacker who just seems to need a few extra dollars in their pocket (leading to millions in some cases), are notifying persons online, normally through your personal Hotmail account: "You have an ancestor that has died!", adding "We are sorry for your loss; however, they left several million dollars that is sitting in our bank," thus naming World Bank.
The catch phrase here is sitting.
Once investigated, I have found out that the bank knows nothing of the missing person whose account has gone silent. Or in other circumstances you may have opened door number 2 and been chosen to inherit unclaimed money, with the stipulation that this so-called contact overseas, normally in Nigeria, hire an attorney for you to claim your long-lost relative's money, as long as you split the amount with them, since they are the so-called finder and have glanced at these records in their bank during lunch time.
Upon investigation: World Bank is an upright, secure banking system worldwide. They have investigators that they employ. However, in third world countries, the terrorists seemingly are claiming at least half of the unclaimed money through internet contact.
The contact, let us say in Lagos, Nigeria, sends you an important email telling you of the loss of a long-lost relative with an American-sounding name, or one similar to the name on your birth certificate. As far as my investigation has led me, they must be reading the USGenWeb Project or traveling back and forth to read local birth certificates. Up to this point the information is solid.
Then the hit comes!
They ask you to deposit money so they can hire an attorney for you; in my client's case it was 2 thousand pounds sterling, or approx. $2,000.00. They constantly call you. I did intercept the phone call and found it was all coming through the exact same ICQ, plus traced all calls and numbers back to Lagos, Nigeria. The names changed; the place did not.
The bank loses nothing, nor is it responsible for any transaction they receive into the account you deposit it into.
Somehow, they then hack into where you deposited your money and wipe you out? So I concluded this has got to be an inside job. Any input would be greatly appreciated.
I have notified MI-6 of another case taking place in the UK, and this is common.
Their newest and latest target is now Amsterdam.
They are committing Interpol fraud, and crossing all sorts of criminal standards.
I feel this has to be Al Qaeda. Someone who possibly trained at a place such as MIT, or even a computer engineer from somewhere such as Stanford. My recommendation to anyone affected by this crime is to contact their local FBI offices. Speak freely to an agent, as this is a well-known scam.
As a privateer I try and help whom I can. However, my resources are limited, and I am only placing this as a warning that such practices sadly are attacking the citizens of the USA and Great Britain, and probably now some of our other allies in Europe. I did trace some local transactions taking place on the West Coast of the USA; however, I also have learned of ones taking place in and amongst our Arab allies.
I honestly suppose it is hard to imagine new users to the internet being fooled this way, but as for me I feel sorry for them.
The money is being used to support the war efforts and training cells of terrorism. It surpasses our FDIC by going through a World Bank which in reality is trying to help underdeveloped nations to rise. Sad indeed. I hope anyone who reads this is not a victim, and if you have any information about this I certainly appreciate comments and suggestions.
We know the Internet has so called Dumpster Divers, however this is more personal and strange! Thank you for your time and patience in reading my concern.

the attackers use a password decoding application called "John the Ripper"

Since when was John the Ripper a password decoding application? I know this is picky, but it annoys me that that was put in a report from a university's IT department. If they had said a password cracker, that would have been alright, but by saying decoder they were implying that John decodes passwords which AFAIK it doesn't.

It's also possible to take something else from that comment: they were using some sort of reversible encryption (Incredibly unlikely...nay, impossible), so why say decoder? Argh!
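The distinction the post draws between "decoding" and cracking is the whole point of a password hash: the hash cannot be reversed, so a cracker like John the Ripper re-hashes candidate words with the stored salt and compares. The following is an added example, not code from the original post, from John the Ripper, or from Stanford's advisory. It uses a plain salted SHA-512 as a simplified stand-in for a crypt(3)-style hash (an assumption; real schemes such as DES-crypt, MD5-crypt and SHA-crypt differ in algorithm and round counts), and the wordlist and password-file entries are constructed.

```python
import hashlib
import secrets


def hash_password(password, salt):
    """Simplified salted hash standing in for crypt(3): salt$hex(SHA-512(salt || password)).
    This is an assumption for the example, not a real crypt(3) scheme."""
    digest = hashlib.sha512((salt + password).encode()).hexdigest()
    return f"{salt}${digest}"


def new_hash(password):
    # Fresh random salt per account, so identical passwords hash differently.
    return hash_password(password, secrets.token_hex(4))


def crack(stored, wordlist):
    """Dictionary attack: re-hash each candidate with the stored salt and compare.
    Nothing is decoded; if no candidate matches, the hash reveals nothing about
    the password, and the only way forward is more guesses."""
    salt, _ = stored.split("$", 1)
    for word in wordlist:
        if hash_password(word, salt) == stored:
            return word
    return None


# Constructed wordlist and password-file entries (not real data).
WORDLIST = ["password", "letmein", "stanford", "cluster", "supercomputer", "admin123"]
PASSWD_DB = {
    "alice": new_hash("cluster"),        # dictionary word: will fall
    "bob": new_hash("Tq7#vL9!rZ2p"),     # random string: will not fall to this wordlist
}


def audit(db, wordlist):
    """Return {user: cracked_password_or_None} for every entry in the database."""
    return {user: crack(stored, wordlist) for user, stored in db.items()}


if __name__ == "__main__":
    for user, result in audit(PASSWD_DB, WORDLIST).items():
        print(f"{user}: {'CRACKED ' + result if result else 'not in wordlist'}")
```

Because each account has its own salt, a candidate word has to be hashed once per account rather than once per wordlist, which is why cracking scales with CPU time and why Wysopal's point about the compute available on these machines matters. The defence on the user side is the one the earlier reply gives: a password that is not in any wordlist is simply never found by this loop.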